PageIndex joins GitHub's Secure Open Source Fund to secure RAG ecosystem
PageIndex Team

GitHub Secure Open Source Fund announcement for PageIndex

As AI systems increasingly rely on open-source infrastructure, strengthening the security of critical shared components becomes essential for the health of the broader software ecosystem. GitHub's Secure Open Source Fund was created to help critical open-source projects improve their security posture through direct funding, expert support, and a structured security program.

We're proud to share that PageIndex has been selected to join GitHub's Secure Open Source Fund. As part of this initiative, PageIndex will work alongside a group of high-impact open-source projects, including Ollama, OpenClaw, LangChain, Pandas, OpenCV, and CAMEL-AI, to help secure the future of the software supply chain.

Why this matters to us

PageIndex is a vectorless, reasoning-based RAG system that builds a hierarchical tree index from long documents and uses LLM reasoning and tree search to retrieve information like a human expert would. Instead of relying on vector similarity, it uses document structure, section hierarchy, and reasoning to locate the most relevant evidence, without requiring a vector database or artificial chunking. Read more in our PageIndex Intro blog.

That architecture creates real opportunities for better long-document retrieval, especially in domains where structure, context, and explainability matter. A financial QA use case built on PageIndex achieved 98.7% accuracy on FinanceBench, highlighting PageIndex's strength in professional document analysis. You can read more in the Mafin 2.5 blog and explore additional posts here.

But building core infrastructure for long-context AI also means taking security seriously.

PageIndex sits at the intersection of your unstructured data and your LLM. When you use it to process PDFs or internal docs, you are trusting us with your "context." That trust carries real responsibility, especially because the project is often used in high-value workflows: financial reports, regulatory filings, technical documentation, long-form research, legal materials, and other complex documents where correctness and traceability matter.

In those environments, security is not just about preventing obvious vulnerabilities. It is also about building reliable systems that developers and enterprises can confidently adopt. It means reducing supply-chain risk, improving release integrity, tightening development practices, and making it easier for the community to report and address issues responsibly.

As GitHub notes, securing widely used open-source projects helps reduce systemic risk across the broader software ecosystem. That framing resonates deeply with us. Open source is shared infrastructure. If it is important enough to build on, it is important enough to secure.

What we want to accomplish

Joining GitHub's Secure Open Source Fund is an opportunity for PageIndex to raise the bar on security in a more structured and durable way. Our goal is not just to "check boxes." It is to strengthen the foundation of the project for the long term. That includes work across areas such as:

1. Hardening the software supply chain

One immediate priority is improving the security of how PageIndex is built and released. That includes reviewing dependencies, tightening CI/CD workflows, reducing unnecessary permissions in automation, and improving the controls around releases and repository settings.

2. Making secure development part of the workflow

We also want security checks to be embedded directly into day-to-day development, rather than treated as a separate exercise after code has already shipped. Tools such as GitHub CodeQL make that possible by helping surface vulnerable patterns earlier in the development process, while GitHub's broader security tooling can support areas such as dependency review, secret protection, and repository hardening.

3. Improving visibility into risk

Another goal is to become more disciplined about understanding where risk actually lives in the project. That includes better threat modeling, clearer security review processes, and a more structured way to prioritize and respond to issues.

4. Strengthening trust through process and transparency

PageIndex has always cared about retrieval that is more traceable and explainable. We think security should be approached with the same discipline. Clear policies, responsible disclosure paths, documented response processes, and better internal security practices all contribute to making infrastructure more trustworthy.

5. Supporting safer adoption as the ecosystem grows

PageIndex today is used in multiple ways, including open-source components, hosted experiences, APIs, and integration workflows. As that footprint expands, the security expectations around the project rise with it.

Thank you

This marks the start of a deeper security journey for PageIndex. Beyond the recognition, the fund gives us the resources, expertise, and structure to strengthen the project where it matters most, and to do so in the open, alongside teams facing the same challenges.

We're grateful to GitHub, the Secure Open Source Fund partners, and the wider open-source security community for investing in the shared infrastructure the ecosystem depends on. And we're grateful to the developers, researchers, and users whose trust and contributions have shaped PageIndex into a project worthy of this opportunity.

PageIndex was built to help AI systems retrieve information from long, complex documents the way humans do: with structure, reasoning, and context. We're now extending that same rigor to the security of the infrastructure behind it.

For foundational AI infrastructure, security isn't optional. It's part of the product.


Explore PageIndex on GitHub, try the chat platform, or integrate it through MCP or API, and follow along as we share more about our security roadmap.